stack-buffer-overflow has occurred when running program svgpng in function gray_split_cubic at plutovg-ft-raster.c #157

Open
Du4t opened this issue Feb 24, 2024 · 0 comments


Du4t commented Feb 24, 2024

Description

heap-buffer-overflow has occurred when running program svgpng in function gray_split_cubic at /3rdparty/plutovg/plutovg-ft-raster.c:889:15

Version

commit d1eec967ec515395cfd669a1bfed8d5a6a119dde (HEAD -> master, origin/master, origin/HEAD)
Author: sammycage <sammycageagle@gmail.com>
Date:   Mon Jan 22 00:48:35 2024 +0100

Steps to reproduce

$ mkdir build
$ cd build
$ CFLAGS+="-fsanitize=address -fno-omit-frame-pointer -fsanitize-recover=address" cmake -DLUNASVG_BUILD_EXAMPLES=ON  ../
$ make -j8
$ ./svg2png ./poc0
=================================================================
==11365==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7dfac360 at pc 0x55fcd922d1d5 bp 0x7ffe7dfabf10 sp 0x7ffe7dfabf00
WRITE of size 8 at 0x7ffe7dfac360 thread T0
    #0 0x55fcd922d1d4 in gray_split_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:889
    #1 0x55fcd922e356 in gray_render_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1000
    #2 0x55fcd922fe76 in PVG_FT_Outline_Decompose /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1361
    #3 0x55fcd92301fb in gray_convert_glyph_inner /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1400
    #4 0x55fcd9231168 in gray_convert_glyph /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1507
    #5 0x55fcd9232016 in gray_raster_render /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1608
    #6 0x55fcd92321fe in PVG_FT_Raster_Render /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1620
    #7 0x55fcd9227522 in plutovg_rle_rasterize /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-rle.c:262
    #8 0x55fcd921318e in plutovg_fill_preserve /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg.c:461
    #9 0x55fcd9212bb3 in plutovg_fill /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg.c:423
    #10 0x55fcd91fd709 in lunasvg::Canvas::fill(lunasvg::Path const&, lunasvg::Transform const&, lunasvg::WindRule, lunasvg::BlendMode, double) (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xf5709)
    #11 0x55fcd91f253a in lunasvg::FillData::fill(lunasvg::RenderState&, lunasvg::Path const&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xea53a)
    #12 0x55fcd91f2ce4 in lunasvg::LayoutShape::render(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xeace4)
    #13 0x55fcd91f0a07 in lunasvg::LayoutContainer::renderChildren(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xe8a07)
    #14 0x55fcd91f130a in lunasvg::LayoutSymbol::render(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xe930a)
    #15 0x55fcd91bcaf2 in lunasvg::Document::render(lunasvg::Bitmap, lunasvg::Matrix const&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb4af2)
    #16 0x55fcd91bcf03 in lunasvg::Document::renderToBitmap(unsigned int, unsigned int, unsigned int) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb4f03)
    #17 0x55fcd91ba2cd in main (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb22cd)
    #18 0x7fa7139e4082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x55fcd91b411d in _start (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xac11d)

Address 0x7ffe7dfac360 is located in stack of thread T0 at offset 864 in frame
    #0 0x55fcd922d6d0 in gray_render_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:915

  This frame has 1 object(s):
    [48, 832) 'bez_stack' (line 916) <== Memory access at offset 864 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:889 in gray_split_cubic
Shadow bytes around the buggy address:
  0x10004fbed810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004fbed820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004fbed830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004fbed840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004fbed850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004fbed860: 00 00 00 00 00 00 00 00 f3 f3 f3 f3[f3]f3 f3 f3
  0x10004fbed870: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10004fbed880: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10004fbed890: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10004fbed8a0: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x10004fbed8b0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11365==ABORTING

POC

https://github.com/Du4t/POC/blob/main/lunasvg/poc0
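The ASan frame description above pins the bug down fairly precisely even without the PoC: `bez_stack` occupies [48, 832) in the `gray_render_cubic` frame, i.e. 784 bytes, and the faulting 8-byte write lands at offset 864, 32 bytes past the end. If the vector type is 16 bytes (two 64-bit longs, which is an assumption but the only one that makes 784 a whole number of vectors), the array holds 49 vectors, i.e. 16 * 3 + 1, and the write hits vector index 51 = 45 + 6. That is the `base[6]` store of a split attempted with the cursor already at index 45, after fifteen consecutive splits: the flattening loop keeps subdividing a curve that never becomes "flat enough" and walks its cursor off the end of a fixed-size stack. The example below is added here to illustrate that mechanism; it is not plutovg's or lunasvg's code. It reproduces the de Casteljau split that `gray_split_cubic` performs and a FreeType-style subdivision loop over a 49-vector stack, models the unchecked version (returning -1 at the point where the real loop would write past the array instead of corrupting the stack) beside a version that caps the subdivision level, and drives both with a constructed 10-pixel curve and a constructed pathological curve with coordinates of 2^50 units. The flatness test, the 24.8 fixed-point scale (`ONE_PIXEL`) and the depth cap as the chosen mitigation are assumptions for the illustration, not the project's fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 16-byte vector (two 64-bit longs), as on the x86-64 build in
 * the report; 49 of them are exactly the 784 bytes ASan gives for bez_stack. */
typedef struct { int64_t x, y; } vec;

#define STACK_VECS (16 * 3 + 1)
#define ONE_PIXEL  256  /* assumption: 24.8 fixed-point coordinates */
#define MAX_LEVEL  15   /* the piece at slot 15 (index 45) must be drawn, not split: splitting writes index 51 */

static int64_t iabs(int64_t v) { return v < 0 ? -v : v; }

/* In-place de Casteljau split, as gray_split_cubic does it: on entry base[0..3]
 * is one cubic, on exit base[0..3] and base[3..6] are its two halves. The first
 * store goes to base[6], six vectors beyond the piece being split. */
static void split_cubic(vec *base)
{
    int64_t a, b, c, d;

    base[6].x = base[3].x;
    c = base[1].x;
    d = base[2].x;
    base[1].x = a = (base[0].x + c) / 2;
    base[5].x = b = (base[3].x + d) / 2;
    c = (c + d) / 2;
    base[2].x = a = (a + c) / 2;
    base[4].x = b = (b + c) / 2;
    base[3].x = (a + b) / 2;

    base[6].y = base[3].y;
    c = base[1].y;
    d = base[2].y;
    base[1].y = a = (base[0].y + c) / 2;
    base[5].y = b = (base[3].y + d) / 2;
    c = (c + d) / 2;
    base[2].y = a = (a + c) / 2;
    base[4].y = b = (b + c) / 2;
    base[3].y = (a + b) / 2;
}

/* Flatness test (assumption, FreeType-style): draw the piece as a line once both
 * off points are within half a pixel of the chord's trisection points. */
static int is_flat(const vec *arc)
{
    return iabs(2 * arc[0].x - 3 * arc[1].x + arc[3].x) <= ONE_PIXEL / 2 &&
           iabs(2 * arc[0].y - 3 * arc[1].y + arc[3].y) <= ONE_PIXEL / 2 &&
           iabs(arc[0].x - 3 * arc[2].x + 2 * arc[3].x) <= ONE_PIXEL / 2 &&
           iabs(arc[0].y - 3 * arc[2].y + 2 * arc[3].y) <= ONE_PIXEL / 2;
}

/* Flattens one cubic into line segments with a fixed stack of pending pieces.
 * bounded == 0 models the unchecked loop: where the real code would store
 * base[6] past the end of bez_stack it returns -1 instead of corrupting the
 * stack. bounded != 0 caps the subdivision level and draws the chord once the
 * cap is reached, so the cursor never moves past slot MAX_LEVEL (index 45).
 * Returns the number of segments emitted; *peak_slot gets the deepest slot used. */
static long flatten_cubic(vec p0, vec p1, vec p2, vec p3, int bounded, int *peak_slot)
{
    vec  bez_stack[STACK_VECS];
    int  level[STACK_VECS / 3 + 1] = {0};  /* subdivision level of the piece in each slot */
    vec *arc = bez_stack;
    int  slot = 0, peak = 0;
    long segments = 0;

    arc[0] = p3; arc[1] = p2; arc[2] = p1; arc[3] = p0;  /* rasterizer layout: arc[3] is the current point */

    for (;;) {
        if (!is_flat(arc) && (!bounded || level[slot] < MAX_LEVEL)) {
            if ((arc - bez_stack) + 6 >= STACK_VECS) { segments = -1; break; }  /* unchecked loop overflows here */
            split_cubic(arc);
            level[slot + 1] = ++level[slot];   /* both halves are one level deeper */
            arc += 3;
            if (++slot > peak) peak = slot;
            continue;
        }
        segments++;                            /* stands in for gray_render_line(arc[0].x, arc[0].y) */
        if (arc == bez_stack) break;
        arc -= 3;
        slot--;
    }
    if (peak_slot) *peak_slot = peak;
    return segments;
}

/* Constructed inputs: a 10-pixel curve, and the same shape scaled to 2^50 units,
 * which no 15-level subdivision can flatten. */
static long run_demo(int pathological, int bounded, int *peak_slot)
{
    int64_t s = pathological ? (INT64_C(1) << 50) : 10 * ONE_PIXEL;
    vec p0 = {0, 0}, p1 = {s, 0}, p2 = {s, s}, p3 = {0, s};
    return flatten_cubic(p0, p1, p2, p3, bounded, peak_slot);
}

static int run_demo_peak(int pathological, int bounded)
{
    int peak = 0;
    run_demo(pathological, bounded, &peak);
    return peak;
}

int main(void)
{
    static const char *name[] = { "sane", "pathological" };
    for (int p = 0; p < 2; p++)
        for (int b = 0; b < 2; b++) {
            int peak = 0;
            long n = run_demo(p, b, &peak);
            printf("%-12s %-9s -> %6ld segments, deepest slot %d\n",
                   name[p], b ? "bounded" : "unbounded", n, peak);
        }
    return 0;
}
```

For the 10-pixel curve both variants agree (8 segments, deepest slot 3), which is the point of a depth cap: it changes nothing for sane input. For the 2^50 curve the unchecked variant reaches slot 15 and would then store `base[6]` at index 51, exactly the offset-864 write in the report, while the capped variant stops at slot 15 and emits 2^15 chords instead. The same overflow can be prevented upstream by rejecting or clamping outline coordinates before rasterization, which is the other place a practitioner would look when reviewing the real code; either way the check has to happen before `gray_split_cubic` runs, because its first store is already out of bounds.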
